You can't really DDoS S3 on a $20 node.
> AWS does not tell you when your bucket is being scanned.

I wonder if that even makes sense; the "scanning" is just a single request to a public bucket, and they can't infer that the bucket isn't supposed to be public. In theory AWS could flag the IP that's sending requests to thousands of buckets.